After news emerged over the weekend about many Safari browser users being concerned over Apple sharing their data with Chinese safe browser partner Tencent, the company has released a statement in which it reiterates that it does not share website URLs with its safe browsing partners.
In case you don’t know, Apple sends data to Google and Tencent to cross-check whether the URL is on a blacklist. This, it says, is to protect users against malicious sites and other scams.
In the statement, Apple says that Tencent is only used when the user’s regional location settings indicate that they are in China. Users in the US, the UK and elsewhere do not have their website browsing data sent to Tencent.
Safari now and again gets a list of malicious URLs or hash prefixes from Tencent or Google, and then selects which list to use based on the user’s regional settings.
Hash prefixes are identical across a list of URLs, i.e. the hash prefix sent to Safari does not identify a unique URL.
If the fraudulent website warning is set to ‘on’ in Safari (this is on by default), the browser checks whether the website that the user is about to visit has a hash prefix match on the malicious site list.
If this is the case, the browser sends this hash prefix to Google or Tencent and requests the full URL list for that particular hash prefix.
Once Safari receives that list, it checks whether the URL that the user is about to visit is on the list. If it is, the browser shows a warning. The final URL check is done on the user’s device, so the actual URL is never sent to Google or Tencent.
Here’s the big but though: your device IP address is in fact shared with the safe browsing partner. This means that this ‘partner’ knows your exact geographical location.